Release: NetScreen-Remote 9.0R5
Release Status: Public
Part Number: 093-1474-000, Rev. I
Date: 1/28/2010
1. Contents
5.1 Addressed Issues in NetScreen-Remote 9.0R5
5.2 Addressed Issues in NetScreen-Remote 9.0R4
5.3 Addressed Issues in NetScreen-Remote 9.0R3
5.4 Addressed Issues in NetScreen-Remote 9.0R2
5.5 Addressed Issues in NetScreen-Remote 8.8
5.6 Addressed Issues in NetScreen-Remote 8.7
5.7 Addressed Issues in NetScreen-Remote 8.6
5.8 Addressed Issues in NetScreen-Remote 8.5
5.9 Addressed Issues in NetScreen-Remote 8.4
5.10 Addressed Issues from NetScreen-Remote 8.3
5.11 Addressed Issues from NetScreen-Remote 8.2
5.12 Addressed Issues from NetScreen-Remote 8.0r1
Known Limitations for NetScreen-Remote 8.8
Known Limitations for NetScreen-Remote 8.7
Known Limitations for NetScreen-Remote 8.6
Known Limitations for NetScreen-Remote 8.5
Known Limitations for NetScreen-Remote 8.4
Compatibility Issues in NetScreen-Remote
6.6.1 Supported Windows Versions
6.6.2 Unsupported Windows Versions (Not Y2K-Compliant)
6.6.3 Juniper NetScreen Platform
6.6.4 Network Interface Card
6.6.5 Common Compatibility and Configuration
6.6.6 Known Issues in NetScreen-Remote 9.0
6.6.7 Known Issues in NetScreen-Remote 8.8
6.6.8 Known Issues in NetScreen-Remote 8.7
6.6.9 Known Issues in NetScreen-Remote 8.6
6.6.10 Known Issues in NetScreen-Remote 8.5
6.6.11 Known Issues in NetScreen-Remote 8.4
6.6.12 Known Issues from NetScreen-Remote 8.3
6.6.13 The following are known issues from the SafeNet known issues documentation.
6.6.14 Known Issues from NetScreen-Remote 8.2
7. Getting Help
2. Version Summary
Juniper Networks NetScreen-Remote 9.0 is the latest release of NetScreen-Remote, a Virtual Private Network (VPN) remote access client that connects client PCs or laptops to any IP network through a VPN connection to a NetScreen device, or that secures communication with other devices running NetScreen-Remote. It supports the industry-standard IPSec, L2TP, and IKE protocols for tunneling, transport-layer security, and key exchange. It is ideal for road-warrior access from laptops at remote locations and works with any ISP connection over modem, DSL, or wireless access point.

The NetScreen-Remote Security Installation and Administrator Guides detail setup and configuration of NetScreen-Remote. For additional tips, see the NetScreen Knowledge Base on the Juniper Networks customer support web page, and consult the online help available through the NetScreen-Remote taskbar menu. The Juniper Networks and NetScreen-Remote support pages are at:
http://www.juniper.net/support
Type: DWORD (number)
Values: None (0), Overlapping (1), All (2)
Default: None (0)
Description: Only affects connections using the Virtual Adapter (VA).
  0: No special routing adjustments for LAN traffic
  1: Route overlapping LAN traffic to the VA
  2: Route all LAN traffic to the VA
Platform: Windows
SafeNet CSP Library (FIPS) v3.1.0b22
SafeNet CSP Library (Non-FIPS) v3.0.1b22
SafeNet Security Policy Editor v1.3.2 B02
SafeNet Certificate Manager v1.3.2 B02
Deterministic Networks (DNE) shim v2.20
Layer 2 Tunneling Protocol (L2TP) v4.29

It also contains the following Sygate component: Sygate 5.5 Build v2634
corporate network while in the office and use a VPN connection for remote access to the same network.

URL Policy Retrieval
Allows the user to configure the client with a Policy URL, the web address of a policy file that the client retrieves automatically via HTTP. The policy file is retrieved periodically at an interval determined by a registry setting.

NAT-T Draft 2 Support
This release adds support for the latest IETF NAT Traversal (NAT-T) draft. Draft 2 enhances the ability of IPSec sessions to transit IPSec-aware NAT devices, such as those commonly found in SOHO installations. This release maintains backward compatibility with NAT-T draft 1 implementations.

Maintenance Release
Bug fixes as listed in the Addressed Issues section.
5. Addressed Issues
The following sections identify which major bugs have been fixed in each release of NetScreen-Remote. If there is no subsection for a particular NetScreen-Remote release, that release included no addressed issues.
PIN when using automatic certificate selection
QA025514 Text is truncated in the error message generated after an incorrect PIN is entered on Windows XP.
QA025557 IREIKE crash.
QA025656 Connect on logon using CERTPIN takes longer than necessary to log on, even when the client has (in the background) connected successfully to the remote party.
QA025681 Secure domain logon does not work with certificates not located on a smart card.
QA025689 Connection logon fails when using a certificate on a smart card.
QA025793 Double phase-2 rekey exchange after phase-1 collision.
QA025804 Inbound phase-1 rekeys may be inappropriately deleted.
QA025791 Generated invalid-SPI notifications have the SPI in the wrong byte order.
QA025845 Data-based key anticipation may stall.
QA025846 Key addition for a manual connection is not appropriate.
QA025852 Phase-2 rekey does not work properly when two or more connections share the same phase-1.
QA025856 IREIKE service may not accurately detect and clear keys at logoff.
QA025875 BAS-1: Xauth prompts should be squelched while the user is remedying failed compliance checks.
gateways (and RGWs).
QA022549 VPN-Import notified spdedit to update its display.
QA021863 Traffic-based key requests to a remote subnet overlapping the physical subnet required an ARP response.
QA021864 When mode config with VA overlapped a physical subnet, the traffic was not directed to the VA.
QA022472 Supported subj_dn in the XAUTHNAME policy item.
QA022725 Maintained the encrypted pre-shared key in memory.
QA021399 Connections with an expired PH1 were not displayed on the disconnect menu.
QA021443 Client was not interoperable with Keon CA.
QA021481 LBR (Local Broadcast Relative) does not work on the last octet only.
QA021482 On Windows ME, VPN-deactivated results in an "already deactivated" message.
19717 The NetScreen-Remote system incorrectly displayed a Multiple XAUTH prompt when the machine was left idle and the policy was configured for RGW. When the device timed out, you were unable to log back into the device.
19336 NetScreen-Remote incorrectly sent an ARP (Address Resolution Protocol) packet to a local +1 IP address.
19323 The Nokia PCMCIA GPRS Adapter D211 was incompatible with NetScreen-Remote.
N/A The system was unable to log back in after a timeout.
QA019598 An SPD file could be incorrectly unlocked via the command line.
QA4721 You could not use RSA SecurID passcodes greater than 10 digits.
QA4612/QA4652/QA4661 An error occurred when validating the proxy ID.
QA020611 Under some conditions, packets failed because of validation errors.
QA020599 Traffic-initiated connections may have led to an inappropriate initiation of early manual-only connections.
QA020593 When a remote party ID was set to an IP address range, the client incorrectly acted as a responder filter table.
QA020571 The spdedit.exe file closed when more than 16 characters were entered in the gateway IP address.
QA020308 CERTMGR incorrectly displayed the Retrieve button enabled for file-based CERT requests.
QA020299 IPSECON attempted to retrieve the CERT for file-based CERT requests. The log filled up with error messages.
QA020295 Removing the IKEY 1000 while configured for SMARTCARD removal did not clear the IPSec keys.
QA020243 Certificate requests did not occur at the prescribed interval set by the CERT request polling interval.
QA020233 Declining at the CERT Addition dialog box left a request in the request storage area.
QA020226 The CERTMGR failed when generating a CERT request with the SMARTCARD CSP without the reader card.
QA020155 When changing policy from 'SECURE ALL CONNECTIONS' back to 'SPECIFIED CONNECTIONS', the 'OTHER CONNECTIONS' parameter remained set to secure.
QA020147 IREIKE crashed during startup when Other Connections were secure.
QA020085 File copy traffic to a mapped drive over a secure connection caused the client to do excessive QM rekeys.
QA018812 Windows XP logoff caused intermittent ifcfg.exe application errors. When logging off on Windows XP, you intermittently received application errors associated with the interface configuration executable file ifcfg.exe.
lower manual connection.
QA004748 The NetScreen-Remote client packet log sometimes contained extraneous characters.
QA004747 The NetScreen-Remote client did not guard against attribute payload overflow.
QA004746 The NetScreen-Remote client did not guard against buffer overflow in HASH_R processing.
QA004745 The NetScreen-Remote client did not guard against NAT-D payload overflow.
7018 When configuring a VPN resource with a service group in Global PRO, the software reported to the NetScreen-Remote environment that no services were configured.
5457 The client loaded the wrong SPI number when proposals for AH and ESP were in the same policy.
5458 The IPSecMon monitoring utility failed when retrieving policy or certificates.
5454 The SPDEdit facility incorrectly chose the first certificate with the same label, regardless of the container ID.
5443 The SPDedit Other Connection ID type, when set to Any Gateway IP Address, remained enabled after clearing the Connect Using checkbox.
5438 You could not save any changes or add a remote gateway (the Save and Remote Gateway buttons were ghosted) after importing an unlocked policy over a locked policy.
5367 Auto-retrieval of an MSCEP certificate did not work.
5221 The vpn.exe executable file caused a fatal application error when running vpn.bat from a command prompt.
5183 The system was unable to release and renew IP addresses or renew DHCP leases.
4733 Windows 2000 and Windows XP DNE MTU Adjust did not accommodate enough overhead for all connection types.
4721 The RSA SecurID passcode was truncated.
4705 Secure All types of manual connections to the 2nd or 3rd connection tried to establish a connection to the first connection.
4704 Windows 2000 and XP Net Login Error 5719 in the event viewer caused single sign-on applications to fail.
4679 CA certificates imported into the personal certificate store with Internet Explorer caused Certificate Manager to crash when opening the personal CA certificate.
4678 Multiple XAUTH prompts were presented to the user when XAUTH was not completed.
4677 Quick Mode started before the extended authentication process completed.
4676 The interface detection mechanism failed on RAS devices introduced after the reboot.
4668 The NSladapssl32v30.dll dynamic link library included with the NetScreen-Remote client was not compatible with Sun or iPlanet 5.1 or later.
4667 NetScreen-Remote clients using VRS (internal IP) with no virtual adapter could not pass fragmented UDP traffic.
4556 The remote gateway connections were not recognized in manual connections.
4173 TDES and DES with manual keys failed with all hash algorithms and generated the following error message: Error importing outbound key entry.
4170 In a remote party ID with the Connect Using setting checked, the wrong default ID types were listed.
4162 You could not maintain a virtual adapter while processing initial contact and while it was in responder mode.
4161 NetScreen-Remote has eliminated residual active virtual adapters that have no SA.
4103 You could not enter and save a PSK on Windows XP.
4005 NetScreen-Remote has a mechanism that prevents the creation of duplicate connection names.
the specified root certificate store.
5385 The client did not properly enforce validation of the ID specified in the client against the one sent from the gateway when using certificates.
5384 The Realtek 8139 NIC did not get responses to 1460-byte pings.
5383 When using an operating system developed in the German language, the NetScreen-Remote device displayed the following message: Cannot use the SafeNet Virtual Adapter on German OSs
5359 The system was unable to locate the vapnt.sys file during the installation.
5322 The route addition failure message occurred when failing over to a remote gateway when the primary gateway did not require a route addition.
5321 Second key requests were generated when failing over to a remote gateway/subnetwork connection, creating a dynamic entry with a mask of all ones.
5320 Proper routes were not added to connections using the virtual adapter and a remote gateway when recovering back to the primary gateway from a remote gateway connection using a virtual adapter.
5315 An SCEP request failed and Certificate Manager would close when logged on as a regular user on Windows NT, Windows 2000 and Windows XP.
5229 The connection failed over to the remote gateway when the hostname was not found.
5212 Certificate Revocation List (CRL) imports failed on W2K when you logged on as a regular user.
5209 Custom installs were not supported on systems that did not have a C: drive.
5208 Secure Gateway Tunnel information was lost when connections were set to Blocked and then back to Secure.
5202 CERT Vulnerability VU#287771: A large number of payloads and a large SPI value forced the system to fail. The failing component was IREIKE.
5185 Entering a connection name of 93 characters or more caused the policy editor not to open and caused invalid page faults when running on the Windows 98 platform.
5165 Using the AOL dialup environment, virtual adapter connections failed with errors because they were unable to determine a tunnel gateway.
5158 Users without administrator privileges could not open the policy editor on non-English versions of Windows 2000.
5139 The virtual adapter failed to build if the DUN connection was configured to be used by only one person.
5137 If Microsoft DUN was configured with an alternate phone number, the virtual adapter would not be built.
5104 The remote gateway name field did not limit the number of characters entered and caused SPDedit to crash when saving a remote gateway with a large name.
4992 Viewing the log debug message "recv fail rlen -1" resulted in the user being unable to establish a VPN connection over a modem.
4966 The system could not map drives to Windows NT or Windows 2000 servers from Windows XP and Windows 2000 clients using the virtual adapter.
4964 Users had full control of Certificate Manager with fully locked policies.
4962 The system could not export PKCS12 certificates to the default path C:\Temp\Cert.p12 if the Temp directory did not exist.
4943 A connection displayed incorrectly when changing from a secure connection using a gateway to the Blocked setting.
4936 Connections with the gateway hostname and ID type Any used a previously entered gateway IP address for session establishment.
4935 No attempt was made to resolve the gateway hostname if the ID type was set to Any and you selected the gateway hostname.
4929 On Windows XP, importing a PKCS12 file from the command line failed.
4892 The Enternet PPPoE client did not work with NetScreen-Remote when using the virtual adapter.
4857 The CMD.exe executable program failed at times when working with SPDedit on systems that loaded their policy from a floppy disk.
4797 If a policy was locked and you accessed the global policy settings, the SPDedit facility failed.
4791 The system could not initiate Aggressive Mode when set to Autocert.
4735 IKE traffic would not occur after a policy was imported through the GUI.
4734 A secure gateway tunnel domain name or IP address changed when a connection was set to Blocked and then changed back to Secure.
4711 When you edited the IP address in the right control region and then changed connections, the system lost the edits.
4672 Session establishment with the virtual adapter failed on initial use.
3972 An L2TP connection mislabeled the adapter in Windows 2000 and Windows ME.
5458 The IPSecMon monitoring utility failed when retrieving policy or certificates.
5457 The client loaded the wrong SPI number when proposals for AH and ESP were in the same policy.
5454 The SPDEdit facility incorrectly chose the first certificate with the same label, regardless of the container ID.
5443 The SPDedit Other Connection ID type, when set to Any Gateway IP Address, remained enabled after clearing the Connect Using checkbox.
5438 You could not save any changes or add a remote gateway (the Save and Remote Gateway buttons were ghosted) after importing an unlocked policy over a locked policy.
5367 Auto-retrieval of an MSCEP certificate did not work.
5221 The VPN.exe executable file caused a fatal application error when running VPN.bat from a command prompt.
5183 The system was unable to release and renew IP addresses or renew DHCP leases.
4892 An Enternet PPPoE client did not work with a NetScreen-Remote client when using the virtual adapter.
4858 Prompts for Double and Triple XAUTH occurred on connections that failed over to a remote gateway.
4634 Warning messages during a client installation stated that the NetScreen-Remote virtual adapter and DNE were not signed by Microsoft.
4593 The IFconfig utility included with NetScreen-Remote was not compatible with Windows XP Pro and Windows XP Home.
4460 Help was in the always-on-top state when not minimized. This state did not allow you to view system Help and configure the system simultaneously.
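The three overflow fixes listed above (QA004747 attribute payload, QA004746 HASH_R, QA004745 NAT-D) and the VU#287771 failure under a large number of payloads and a large SPI value are all cases of trusting peer-supplied length fields instead of the bytes actually received. As an added illustration, not NetScreen-Remote or SafeNet code, the C parser below walks an ISAKMP payload chain with the bounds checks those fixes imply. Payload types follow RFC 2408 and RFC 3947; the payload cap, the result codes and the test vectors are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN  28  /* fixed ISAKMP header (RFC 2408 section 3.1) */
#define GENERIC_HDR_LEN  4  /* next payload (1), reserved (1), length (2) */
#define MAX_PAYLOADS    32  /* constructed cap; the real limit is a policy choice */
#define MAX_SPI_LEN     16  /* RFC 2408 section 3.5: SPI size is at most 16 octets */
#define NATD_HASH_LEN   20  /* NAT-D body is a SHA-1 hash (RFC 3947) */

/* Payload types from RFC 2408 / RFC 3947 (the NAT-T drafts used private numbers). */
enum { PL_NONE = 0, PL_PROPOSAL = 2, PL_VENDOR_ID = 13, PL_NATD = 20 };

typedef enum { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_LENGTH,
               PARSE_TOO_MANY, PARSE_BAD_SPI, PARSE_BAD_NATD } parse_result;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the payload chain after the ISAKMP header. Every read is bounded by the
 * bytes actually received, never by a length field chosen by the peer. */
parse_result walk_payloads(const uint8_t *msg, size_t msg_len, unsigned *count_out)
{
    if (msg_len < ISAKMP_HDR_LEN) return PARSE_TRUNCATED;
    size_t off = ISAKMP_HDR_LEN;
    uint8_t next = msg[16];             /* first payload type lives in the header */
    unsigned count = 0;

    while (next != PL_NONE) {
        if (++count > MAX_PAYLOADS) return PARSE_TOO_MANY;   /* payload flood */
        if (msg_len - off < GENERIC_HDR_LEN) return PARSE_TRUNCATED;
        const uint8_t *pl = msg + off;
        uint16_t len = be16(pl + 2);
        /* declared length covers its own header and must fit what is left */
        if (len < GENERIC_HDR_LEN || len > msg_len - off) return PARSE_BAD_LENGTH;

        if (next == PL_PROPOSAL) {
            /* body: proposal# (1), protocol-id (1), SPI size (1), #transforms (1), SPI */
            if (len < GENERIC_HDR_LEN + 4) return PARSE_BAD_LENGTH;
            uint8_t spi_size = pl[6];
            if (spi_size > MAX_SPI_LEN || spi_size > len - (GENERIC_HDR_LEN + 4))
                return PARSE_BAD_SPI;   /* SPI would run past its own payload */
        } else if (next == PL_NATD) {
            uint8_t hash[NATD_HASH_LEN];
            /* check the size before copying into the fixed buffer */
            if (len - GENERIC_HDR_LEN != NATD_HASH_LEN) return PARSE_BAD_NATD;
            memcpy(hash, pl + GENERIC_HDR_LEN, NATD_HASH_LEN);
            (void)hash;                 /* a real client would compare it here */
        }
        next = pl[0];
        off += len;
    }
    if (count_out) *count_out = count;
    return PARSE_OK;
}

/* Constructed test vector driver (not captured traffic): zeroed header carrying the
 * first-payload type, followed by the supplied payload bytes, then parsed. */
static parse_result run(uint8_t first, const uint8_t *pls, size_t plen)
{
    uint8_t buf[256];
    if (ISAKMP_HDR_LEN + plen > sizeof buf) return PARSE_TRUNCATED;
    memset(buf, 0, ISAKMP_HDR_LEN);
    buf[16] = first;
    memcpy(buf + ISAKMP_HDR_LEN, pls, plen);
    return walk_payloads(buf, ISAKMP_HDR_LEN + plen, NULL);
}

/* Proposal with an 8-octet ESP SPI followed by a NAT-D payload: parses cleanly. */
parse_result check_well_formed(void)
{
    static const uint8_t pls[] = {
        PL_NATD, 0, 0, 16,  1, 3, 8, 1,  1, 2, 3, 4, 5, 6, 7, 8,
        PL_NONE, 0, 0, 24,  0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a,
                            0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a };
    return run(PL_PROPOSAL, pls, sizeof pls);
}

/* Proposal claims a 12-octet SPI but only 8 octets follow the fixed fields. */
parse_result check_spi_overflow(void)
{
    static const uint8_t pls[] = { PL_NONE, 0, 0, 16,  1, 3, 12, 1,  1, 2, 3, 4, 5, 6, 7, 8 };
    return run(PL_PROPOSAL, pls, sizeof pls);
}

/* NAT-D declares 200 bytes while only 24 were received. */
parse_result check_length_overflow(void)
{
    uint8_t pls[24] = { PL_NONE, 0, 0, 200 };
    return run(PL_NATD, pls, sizeof pls);
}

/* 40 chained empty Vendor ID payloads exceed the payload cap. */
parse_result check_payload_flood(void)
{
    uint8_t pls[40 * GENERIC_HDR_LEN];
    for (int i = 0; i < 40; i++) {
        pls[4 * i] = (i == 39) ? PL_NONE : PL_VENDOR_ID;
        pls[4 * i + 1] = 0;  pls[4 * i + 2] = 0;  pls[4 * i + 3] = GENERIC_HDR_LEN;
    }
    return run(PL_VENDOR_ID, pls, sizeof pls);
}
```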
6. Known Issues
This section describes known issues with the current release. Known Limitations are issues that identify features that are not fully functional at the present time, and will be unsupported for this release. NetScreen recommends that you do not use these features. Compatibility Issues are known compatibility issues with other products, including but not limited to specific NetScreen appliances, other versions of ScreenOS, Internet browsers, NetScreen management software and other vendor devices. Whenever possible, information is provided for ways to avoid the issue, minimize its impact, or in some manner work around it. Known Issues are deviations from intended product behavior as identified by Juniper Test Technologies through their verification procedures. Again, whenever possible, information is provided to assist the customer in avoiding or otherwise working around the issue.
Description: Installing PPPoE software on a computer that already has the SoftRemote Client installed removes some network components.
Workaround: If the computer does not have the SoftRemote client installed, install the PPPoE software before you install the SoftRemote client. If the client is already installed, remove the client and save the IPSec policy when prompted. After your computer reboots, install the PPPoE software, and then install the client again.

Compatibility issues with EarthLink software
Description: The client is incompatible with EarthLink Internet software, version 5.02.
Workaround: EarthLink can still be accessed through a standard dial-up networking configuration. Uninstall the EarthLink software. EarthLink Technical Support is aware of the situation. Contact EarthLink for help in setting up a standard dial-up configuration for EarthLink access.

Compatibility issues with Sony Vaio and 3COM 3CCFE575CT CardBus PC Card
Description: The 3COM 3CXFE575CT 10/100 LAN CardBus PC Card is not compatible with Sony Vaio notebook computers. After the client is installed, the computer requires an Ethernet cable to be attached in order to boot. This NIC card works fine in other computers.
Workaround: Use hardware profiles to disable the NIC card, or remove the NIC card when the computer is not attached to the network.

RequestLocalAddress failure and dialup interfaces are not detected properly in the Log Viewer on clients that also have the Nortel client installed and DN is bound to the Nortel IPSECSHM
Description: Cannot connect using Windows 2000 and XP RAS connections when DN is bound to the Nortel IPSECSHM.
Workaround: In the Windows Device Manager, if the IPSECSHM - Deterministic Network Enhancer Miniport is disabled, the dialup interface will be detected properly and sessions will establish.
Juniper recommends installing the latest Windows service pack, dial-up networking upgrade, and Internet Explorer version.
This version should be compatible with all NDIS-compliant Ethernet network interface cards (NICs). Plug and play is supported on Windows 95, 98, Me, and 2000 only. Plug and play is not supported on notebook computers running Windows NT.
User Configures Incorrect Date/Time Setting When Using Certificates
When creating a certificate request, it is important to verify that the date/time of the machine requesting the certificate is valid. If the machine's clock is fast, the time and date stamped on the certificate may not yet be valid. It is also important to verify that time-zone information is correct for both NetScreen-Remote clients and the NetScreen device.

Network Interface Card (NIC) Compatibility
NetScreen-Remote should be compatible with all NDIS-compliant Ethernet NICs (NICs tested for NetScreen-Remote). Plug and play is supported only on Windows 95, 98, ME and 2000; plug and play on notebook computers running Windows NT is not supported. Coexistence (i.e. encryption over the dial-up adapter) with Token Ring cards is supported.

Windows XP Internet Connection Firewall With Virtual Adapter
You must configure a firewall on your virtual adapter with the Windows XP Internet Connection Firewall if the connection used to create the virtual adapter, or the device, is dropping packets.

Driver Signing Warnings on Windows XP with Security Patch MS02-50
Earlier versions of the MS02-50 security patch on Windows XP caused unsigned-driver messages when installing the NetScreen-Remote client.
W/A: Download the latest MS02-50 patch from the following page on the Microsoft web site:
http://www.microsoft.com/technet/treeview/default.asp/url=/technet/security/bulletin/MS02-050.asp

Nortel Contivity VPN Switch
The elements of the Distinguished Name (DN) sent by the switch are not in the standard order expected by the client. When entering the DN in the Connect dialog box using the Nortel Contivity VPN Switch group, click the Enter Subject Name in LDAP Format check box. Make sure that the order of the elements matches the order from the switch.
W/A: The Nortel switch's firmware version 3.5 or later, with Keep Alives disabled, is required. If a message regarding invalid hash length appears in the LogView, the Keep Alive feature is enabled. The Keep Alives option is controlled through the IPSec section of the Group profile; the menu item in IPSec is called Enable Client Failover Tuning.
New Virtual Adapter Features Not Updated for Users Performing Upgrade
New routing information is not added to the existing Virtual Adapter connection in the Dialup Networking properties environment.
W/A: Delete any virtual adapter connections from the Dialup Networking environment. A new virtual adapter connection is created, with all of the new settings, on the next connection that uses the virtual adapter.

Errors When Gateway Sends Certificates With More Than 1,024 Bits Without Microsoft Enhanced CSP
Log Viewer errors and connection failures occur on the client when the gateway sends certificates larger than 1,024 bits to computers that don't have a 128-bit version of Microsoft Internet Explorer installed. The log shows the error "cannot acquire enhanced provider verify context", and signature verification fails.
W/A: For gateways that send certificates larger than 1,024 bits to the client, upgrade to the 128-bit version of Internet Explorer, which includes the Microsoft Enhanced CSP.

Automatic Certificate Selection May Not Work in Aggressive Mode
Since Aggressive Mode sends an ID payload in the first initiator packet, and no explicit certificate is selected, the session may fail. The client makes a best guess and selects the first certificate that meets the specified ID type (DN, e-mail, IP address, etc.). This certificate may or may not be a valid certificate.
W/A: Manually select the certificate when using Aggressive Mode, or limit your certificates to one in NetScreen-Remote Certificate Manager.

Sony PCG-SRX77P Laptop With an Integrated Modem and NIC
NetScreen-Remote will not install properly on Sony PCG-SRX77P laptop PCs with the on-board network interface card enabled.
W/A: To use NetScreen-Remote on this device, disable the on-board network interface card and use an external network interface card.

Dell Laptop With PCMCIA Intel PRO-100 SR Combo Mobile Adapter
NetScreen-Remote will not install properly on Dell laptop PCs with the PCMCIA Intel PRO 100-SR Combo network interface card.
W/A: You must use another network interface card in these systems.

Windows 95 Systems Crash While Loading NetScreen-Remote Login
On some Windows 95 systems the Authenticate and Go NetScreen-Remote Login application may randomly exit with an error message until the system is rebooted.
W/A: Reboot your Windows 95 system.

Point-to-Point Protocol (PPPoE) Software for DSL Connections Required Before NetScreen-Remote Installation
Make sure that your system has PPPoE installed and operational before installing NetScreen-Remote. Installing PPPoE software on a system that already has NetScreen-Remote installed removes some network components.
W/A: If the system does not have NetScreen-Remote installed, install the PPPoE software first, and then install NetScreen-Remote. If the system already has NetScreen-Remote installed, uninstall NetScreen-Remote, choose the Save Policy and Certificates option, and then after rebooting, install the PPPoE software. As a last step, reinstall NetScreen-Remote.

3Com Smart Agent Software Compatibility
You cannot install NetScreen-Remote properly if 3Com's Smart Agent software is loaded on the device before installing NetScreen-Remote.
W/A: Smart Agent software must be installed after NetScreen-Remote.

NetScreen-Remote Incompatible With Earthlink Software
Incompatibility with Earthlink Internet Software version 5.02.
W/A: You can still access Earthlink via a standard dial-up networking configuration. To access this environment, uninstall the Earthlink software. Earthlink Technical Support has been made aware of the situation and can assist in setting up a standard dial-up configuration for access to Earthlink.

Compatibility Issues with Sony Vaio and 3COM 3CCFE575CT CardBus PC Card
The 3COM 3CXFE575CT 10/100 LAN CardBus PC Card is not compatible with Sony Vaio notebook computers. After the client is installed, the computer requires an Ethernet cable to be attached in order to boot. This NIC card works fine in other computers.
W/A: Use hardware profiles to disable the NIC card, or remove the NIC card when the computer is not attached to the network.

On 95/98/ME, the Entegra USB Has Problems With Suspend/Standby
The Entegra USB has problems when returning from suspend mode in that the interface is not always present.
W/A: Unplug the adapter and plug it back in.

RequestLocalAddress and Dialup Interfaces Failure
The RequestLocalAddress feature fails and dialup interfaces are not detected properly in the Log Viewer on clients that also have the Nortel client installed and the DN (Distinguished Name) bound to the Nortel IPSECSHM. You cannot connect using Windows 2000 and XP RAS connections when the DN is bound to the Nortel IPSECSHM.
W/A: In the Windows Device Manager, disable the IPSECSHM Deterministic Network Enhancer Miniport so that the system detects the dialup interfaces properly and establishes sessions.
W/A: Use ESP mode.
QA023299 If a user attempts to import a security policy that exceeds the free space of the Registry, SPEDIT crashes and the previous policy is deleted from the Registry. W/A: Adjust the size of the registry.
QA023377 Client cannot pass traffic with a Secure All (VA) policy when the physical address of the client is on a subnet that matches the subnet of the remote party. W/A: Do not use VA for this connection.
QA024149 VA cannot be connected when using the Senforce firewall. W/A: Do not use the virtual adapter when using the Senforce firewall.
QA024215 Ipsecmon crashes on automatic cert retrievals when using the Axis client with an iKey token. W/A: Manually retrieve certificates with Certificate Manager.
QA024694 Client machine (with Greenborder Security Agent installed) freezes when the user tries to request a certificate. W/A: The Greenborder Security Agent is not supported with SoftRemote.
QA024992 Client machine may freeze when the IKE service is stopped and started while sending traffic. W/A: This behavior is only observed if the IKE service is started while the client machine is sending traffic to a secure peer. Stop sending secure traffic if you need to restart the IKE service.
QA025016 Client machine freezes if the user clicks the NIC properties Cancel button twice. Only observed on Windows 2000. W/A: Do not click the Cancel button a second time. Wait for the properties box to close.
QA025193 When VA connections are established, existing non-VA connections may stop passing secure traffic. W/A: Check the Only Connect Manually checkbox on the non-VA connection.
QA025666 Connections using TCP encapsulation may interfere with non-TCP-encapsulation connections to the same gateway. W/A: Do not configure TCP encapsulation connections and non-TCP encapsulation connections to the same gateway.
QA025667 Deleting user certificates causes secure connections to drop. W/A: Do not delete user certificates while a secure connection is established.
QA021577 Post negotiation status dialog in upper-right hand corner of screen may report false connection status information. W/A: Confirm status of connection negotiation in client log viewer.
QA021778 When log file is printed, the text does not fit on the page. W/A: Adjust the margins in text editor or enable word-wrap.
QA022921 Setting the redialing option "Idle time before hanging up" causes the VA to disconnect even if there is continuous traffic passing across the VPN. W/A: Set "Idle time before hanging up" for the Virtual Adapter to never.
QA024995 Client cannot pass secure traffic with VA disabled. This behavior only occurs after the WAN interface has been selected under the My Identity section of a connection, and then the connection is later established over ethernet. W/A: Delete the NET_INTFC registry entry from HKEY_LOCAL_MACHINE\SOFTWARE\IRE\SafeNet/SoftPK\ACL\connection#\MYID or Use the Virtual Adapter.
QA021977 Virtual Adapter fails to disconnect occasionally. W/A: Right click VA icon and disconnect manually.
QA022029 Other Connections set to block are not blocked if interface is specified. W/A: Set internet interface to ANY.
QA022930 In situations where redundant gateways are used, if the primary and redundant gateways are in the same subnet, and the primary gateway is not available, the connection will fail. W/A: Do not place the primary and the redundant gateways in the same subnet.
QA032821 Newly imported certificates are sometimes not auto-selected with auto-cert on Vista. W/A: Specify the certificate to be used or restart the system and retry.
QA032517 WLAN interfaces are not listed under My Identity\Internet Interfaces in the policy editor on Vista systems. W/A: Do not specify the interface in the policy and allow it to be automatically discovered.
QA032188 VA adapter does not work on Vista. W/A: New mode config VRS functionality allows DNS to be utilized with mode config only; no VA is required.
QA032782 VA-Light - VRS lacks support for WINS Mode Config Assignment on Vista clients. WINS is not supported on Vista in this release. W/A: Perform all name resolution via Mode Config assigned DNS.
QA032231 Cannot use certificate on smartcard for secure connections when UAC is enabled on Vista systems. When using a certificate on a smartcard for a secure connection with a UAC enabled account, the IKE negotiation hangs. W/A: Disable User Account Control from User Accounts in the Control Panel. Reboot for the new UAC changes to be active.
W/A: Do not use the virtual adapter when using the Senforce firewall.
QA024215 Ipsecmon crashes on automatic cert retrievals when using Axis client with Ikey token. W/A: Manually retrieve certificates with Certificate Manager.
QA024694 Client machine (with Greenborder Security Agent installed) freezes when user tries to request a certificate. W/A: The Greenborder Security Agent is not supported with this and previous versions of the software.
QA024992 Client machine freezes when IKE is stopped and started while sending traffic. W/A: This behavior is only observed if the IKE service is started while the client machine is sending traffic to a secure peer. Stop sending secure traffic if you need to restart the IKE service.
QA025016 Client machine freezes if the user clicks on the NIC properties Cancel button twice. This is only observed on Windows 2000. W/A: Do not click on the Cancel button a second time. Wait for the properties box to close.
QA025193 When VA connections are established, existing non-VA connections may stop passing secure traffic. W/A: Check the Only Connect Manually checkbox on the non-VA connection.
QA021577 Post negotiation status dialog in upper right hand corner of screen may report false connection status information. W/A: Confirm status of connection negotiation in client log viewer.
QA021778 When log file is printed the text does not fit on the page. W/A: Adjust the margins in text editor or enable word-wrap.
QA022921 Setting the redialing option "Idle time before hanging up" causes the VA to disconnect even if there is continuous traffic passing across the VPN. W/A: Set "Idle time before hanging up" for the Virtual Adapter to never.
QA024995 Client cannot pass secure traffic with VA disabled. This behavior only occurs after the WAN interface has been selected under the "My Identity" section of a connection, and then the connection is later established over Ethernet. W/A: Delete the NET_INTFC registry entry from HKEY_LOCAL_MACHINE or use the Virtual Adapter.
QA025008 Certificate PIN is not encrypted in memory. W/A: Do not use the CERTIFICATEPIN registry entry. Enter the PIN manually when prompted.
QA021809 When defining a subnet, a subnet value that does not match should automatically correct the mask. W/A: Use default gateway on remote network.
QA021977 VA fails to disconnect occasionally. W/A: Right click VA icon and disconnect manually.
QA022029 Other Connections set to block are not blocked if interface is specified. W/A: Set internet interface to ANY.
QA022930 In situations where redundant gateways are used, if the primary and redundant gateways are in the same subnet, and the primary gateway is not available, the connection will fail. W/A: Do not place the primary and the redundant gateways in the same subnet.
QA019869 Invalid data is accepted when entered into the secure gateway tunnel fields. W/A: Remove the incorrect data from the field then re-save the policy.
QA020998 On Windows 2000, you cannot complete a connection to a Cisco 2621 Router with the Virtual Adapter enabled. W/A: Set Virtual Adapter to disabled.
QA021575 After retrieving policy from SMC, a client can require a manual policy reload. W/A: If connections in retrieved policy are not available, click Reload Security Policy.
QA021577 Post negotiation status dialog in upper right-hand corner of screen can report false connection status information. W/A: Confirm status of connection negotiation in client log viewer.
QA021778 When log file is printed, the text does not fit on the page. W/A: Adjust the margins in the text editor or enable word-wrap capability.
QA022921 Setting the redial option "Idle time before hanging up" causes the VA to disconnect even if there is continuous traffic passing across the VPN. W/A: Set "Idle time before hanging up" for the Virtual Adapter to never.
QA021977 SafeNet VA fails to disconnect occasionally. W/A: Right click VA icon then manually disconnect.
QA021809 When a subnet value does not match, the device should automatically correct the mask. W/A: Use the remote network default gateway.
QA022029 Other Connections set to block are not blocked if an interface is specified. W/A: Set internet interface to any.
QA022930 The connection fails in situations where redundant gateways are used, if the primary and redundant gateways are in the same subnet, and the primary gateway is not available. W/A: Do not place the primary and the redundant gateways in the same subnet.
Network Enhancer Miniport followed by the name of the physical network adapter. This is a Windows bug fixed in Windows 2000 Service Pack 4.
20837 The About page on the Sygate Help system displays the wrong version for NetScreen-Remote: "NetScreen-Remote Security Client 5.5 Version 8.5". The top line should indicate the version is 8.5.
20834 After retrieving an SPD file using the ANG (Authentication and Go) feature, the connection may fail with an error message: "There is no pre-shared key for this Policy entry." W/A: Manually reload the security policy. To do so, right click the NetScreen-Remote taskbar icon and select the Reload Security Policy option.
N/A The Security Policy Editor and Connection Monitor options do not display by default in the taskbar menu. These options are available through the Windows Start Menu. To make the options visible, change the following settings in the [Entries Popup] section of the NetScreen-Remote oemexts.ini file:
[Entries Popup]
Security Policy Editor = Yes
Connection Monitor = Yes
Use a hosts file for any device that needs to be accessed using a DNS name.
Configure the Virtual Adapter DNS as the Primary DNS on the remote NIC adapter.
Create a policy in NetScreen-Remote to send all traffic through the VPN as opposed to using split tunneling.
QA019869 When invalid data is entered into the secure gateway tunnel fields, the tunnel incorrectly forwards the data. W/A: Remove the incorrect data from the field and resave the policy.
18781 The Cancel Installation feature does not work when you attempt to halt the installation. The Sygate portion of the product continues to install.
14679 When attempting to delete Proposal 1 in a configuration with multiple Phase 1/Phase 2 proposals defined, the screen is not correctly updated. If the configuration is saved after deleting Proposal 1, the next proposal (Proposal 2) will be assigned the values that were previously configured for Proposal 1 (which had been deleted, but is still visible). W/A: After deleting the proposal, click on any other link in the left pane, then go back to the proposal list.
4136 A non-administrator logon SCEP request will not retrieve the RA Certificate. If logged on as a non-administrator, the Import Personal Cert window remains open with no prompt or error message after attempting to place the certificate in the local machine store, which is the default setting in Advanced properties. W/A: Open the Advanced Tab in the SCEP request form, and uncheck the box to place the certificate in the local machine store if logged on as a non-administrator when importing a personal certificate.
03456 When you use KBytes as the criteria to trigger a P2 rekey, a P2 rekey sometimes fails after the P1 expires.
3198 You can't specify an interface and use the Virtual Adapter. If the Internet interface in the MY ID section of a connection is set to something other than Any, a VA connection will fail with the following errors:
15:26:52.998 Failure finding or creating filter entry.
15:26:53.008 Failure finding or creating filter entry
15:26:53.008 Key download failed.
15:26:53.008 Error downloading key.
15:26:53.008 Failed loading the keys.
W/A: Set the Internet interface for the effective connection to Any, or set VA to disabled.
Incorrect registration information displays in some areas of the software.
6.6.13 The following are known issues from the SafeNet known issues documentation.
5446 If logged on as a non-administrator, the Import Personal Certificate dialog box remains open with no prompt or error message after attempting to place the certificate in the local device store due to the check box.
5444 If logged on as a non-administrator, the Import Personal Certificate window remains open with no prompt or error message after attempting to place the certificate in the local device store, which is the default setting in the Advanced Properties environment.
5395 The route adding operation fails when using the virtual adapter and both peers undergo a Network Address Translation (NAT) operation and the private IP address on both networks are the same. In an environment where a NAT operation has occurred, if both private networks have the same address space, the phase 1 completes as expected. But when the route adding process occurs, it fails with error code 0000003A.
5318 The logging facility reports an error associated with an Internet interface on connections that have remote gateways specified. The following message is displayed: "Error updating filter record".
5317 The manual connection on Windows 9x platforms to a remote subnetwork (or range) specified with an address reports a failure with Request Local Address functions. This problem is because Windows 9x does not generate traffic to such addresses.
4933 The NetScreen-Remote device fails when trying to map a drive over a secure Point-to-Point Protocol over Ethernet (PPPoE) connection. The connection may require a system restart.
4687 When attempting to create a dialup virtual adapter session with only one dialup adapter present on the NetScreen device, the IPSec SA completes even though the virtual adapter has not been added. The log shows a virtual interface constructed, but no message that the virtual adapter was added.
4657 If you enter an underscore character in an SCEP request to SMC in the Common Name field, the Common Name may be corrupted after retrieval. The Common Name retrieved is a pound sign (#) followed by a long numeric string.
4606 When selecting the Device Connection Authentication and Remote Upgrade option for a NetScreen-Remote client installation on a Windows 2000 platform, the NetScreen device displays the following error message: "Digital Signature not Found for Crypto OSD Adapter".
4506 If the Internet interface in the MY ID section of a connection is set to a value other than Any, virtual adapter connections will fail with the following errors:
Failure finding or creating filter entry
Key download failed.
Error downloading key.
Failed loading the keys.
certificate in the local machine store due to the check box. W/A: The check box for "Place certificate in local machine store" should be unchecked if logged on as non-admin when importing a personal certificate.
5444 If logged on as non-admin, the Import Personal Certificate window remains open with no prompt or error message after attempting to place the certificate in the local machine store, which is the default setting in Advanced properties. W/A: Open the Advanced tab in the SCEP request form and uncheck the box to place the certificate in the local machine store if logged on as non-admin when importing a personal certificate.
5443 In SPDedit, with Other Connections set to a Secure connection and Connect Using checked: set ID Type to Any, then deselect the Connect Using checkbox. Save the policy, then close and reopen the SPDedit utility. The Gateway IP Address remains enabled. W/A: Check Connect Using, set ID Type to IP Address, deselect Connect Using, and save the policy.
5438 Unable to save policy from GUI after importing an unlocked policy over a locked policy. W/A: Close and reopen the SPD edit utility, or close the SPD edit utility and save it at the prompt.
5395 In an environment that has undergone a Network Address Translation (NAT), if both private networks have the same address space (in the test it is 172.16.x.x/255.255.0.0), the phase 1 completes as expected; however, when the mode config attributes are applied, the virtual adapter is created, but when the route add is issued (route add 10.100.200.254 mask 255.255.255.255 172.16.50.1) it fails with error code (0000003A). W/A: If the virtual adapter is not used the connection works as expected. If the mode config address and the physical address are not on the same logical subnet, then the virtual adapter works as expected.
5318 Log viewer reports "Error updating filter record" when specifying an Internet Interface on connections that have remote gateways specified. W/A: Do not specify an Internet Interface on connections that have remote gateways; use the manual connect only option or specify Any for the Internet interface setting.
5317 Manual connect on 9x platforms to a remote subnet (or range) specified with an address which is apparently (by address class) a subnet address will report a RequestLocalAddress failure. (This is because 9x will not generate traffic to such addresses.) W/A: Initiate traffic to establish the tunnel, such as a ping, web, mail or FTP traffic.
5311 Manual disconnects from a 2nd remote gateway reports unable to disconnect. Disconnecting from the 1st remote gateway works as expected. W/A: Use the Disconnect All option from the tray icon when connections have failed over to a 2nd remote gateway.
4933 System hangs when trying to map a drive over a secure PPPoE connection and may require a system restart. W/A: The client can map drives using RASPPPoE software. Free download link: http://user.cs.tu-berlin.de/~normanb/#Download
4858 Double and Triple XAuth prompt occurs on connections that failover to a remote gateway with virtual adapter connections. Remaining key request from the primary Gateway trigger a second rekey to the failover Gateway when using virtual adapter. W/A: Lower the retransmit interval from 15 seconds to 5 seconds in Global Policy Settings of Policy Editor.
4778 Policy entry for SENDCERT_TYPE not honored by IKE. This allows the client to send a pkcs7 certificate chain even when the peer requests an x509 certificate. W/A: Either the gateway should send a PKCS#7 certificate request, or the gateway should be able to verify the chain itself if it asks for an x509 certificate and the client responds with one.
4687 When attempting a dial-up virtual adapter session with only one dial-up adapter present on the machine (i.e., improper configuration), the IPSec SA completes even though the virtual adapter is not added. The log shows a virtual interface constructed but no message for virtual adapter added. W/A: Verify that two dial-up adapters are present on the machine before attempting dial-up virtual adapter sessions.
4679 If a connection configured to use a selected certificate is changed to use preshared key, if the change is not saved and the focus is changed to another connection and then back to the MYID page, the ID has reverted back to the certificate. This does not happen when changing from Autocert to preshared key. W/A: Save policy after making these changes or correct the connections MYID by editing or re-importing the policy if this condition occurs.
4506 If the Internet Interface in the MY ID section of a connection is set to something other than Any, a virtual adapter connection will fail with the following:
15:26:52.998 Failure finding or creating filter entry
15:26:53.008 Failure finding or creating filter entry
15:26:53.008 Key download failed.
15:26:53.008 Error downloading key.
15:26:53.008 Failed loading the keys
W/A: Set the Internet Interface for the effective connection to Any or set virtual adapter to disabled.
3700 When requesting an SCEP certificate, the CA accepts a valid request, but upon retrieval the Certificate Manager cannot decrypt the reply with its private key because the private key was generated with a Microsoft Base CSP or an RSA Keon CSP on Win 95, 98, NT (works on Windows 2000). However, file based certificates can still be imported. W/A: Install IE 5.5+ and the request and retrieval will work properly.
3641 On Windows 2000 and Windows XP, the dial-up adapter is not available in the drop down list until the dial connection is established. The PPP adapter is not available in the drop down list under MY IDENTITY - INTERFACES on Windows 2000 until the dial connection is made. W/A: Once the dialup connection is made, you can choose the proper adapter. After you disconnect, the interface selection defaults back to ANY.
3531 Sometimes on Windows 98 you are unable to import or export a PKCS#12 certificate/key file due to the following leftover registry key: HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys\IRENULLKEY. W/A: Open the registry key HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys\ and delete the IRENULLKEY entry.
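Several of the entries above (QA023377 and 5395 on overlapping private address space, 4506/3198 on the virtual adapter with a specific Internet interface, QA022930 on redundant gateways in one subnet) describe conditions an administrator can check before a policy is rolled out. The Python lint below is an added example, not code from the release notes or from Juniper or SafeNet; the Connection fields are assumptions, and gateways are assumed to be given with their prefix length so that "same subnet" can be evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Connection:
    """Constructed model of one policy connection; field names are assumptions."""
    name: str
    remote_party: str                     # protected network behind the gateway, e.g. "10.100.0.0/16"
    gateways: List[str]                   # primary first, then redundant, each with prefix length
    physical_ip: str                      # client NIC address with prefix length, e.g. "172.16.50.7/16"
    internet_interface: str = "Any"       # "Any" or a specific interface name
    virtual_adapter: bool = False         # VA / mode config in use
    mode_config_ip: Optional[str] = None  # address the gateway assigns to the VA


def lint(conn: Connection) -> List[str]:
    """Return one finding per matched known-issue condition; an empty list means clean."""
    findings: List[str] = []
    phys = ipaddress.ip_interface(conn.physical_ip)
    remote = ipaddress.ip_network(conn.remote_party, strict=False)

    # QA023377 / 5395: the client's physical subnet overlaps the remote private
    # address space, which breaks Secure All (VA) traffic and the VA route add.
    if phys.network.overlaps(remote):
        findings.append(f"{conn.name}: physical subnet {phys.network} overlaps "
                        f"remote network {remote} (QA023377/5395)")

    # 5395: a mode config address on the same logical subnet as the physical
    # address makes the route add through the physical gateway fail.
    if conn.virtual_adapter and conn.mode_config_ip:
        if ipaddress.ip_address(conn.mode_config_ip) in phys.network:
            findings.append(f"{conn.name}: mode config address {conn.mode_config_ip} "
                            f"lies in physical subnet {phys.network} (5395)")

    # 4506 / 3198: the virtual adapter only works when the Internet interface is Any.
    if conn.virtual_adapter and conn.internet_interface != "Any":
        findings.append(f"{conn.name}: virtual adapter enabled with Internet interface "
                        f"'{conn.internet_interface}' instead of Any (4506/3198)")

    # QA022930: primary and redundant gateways must not be placed in the same subnet.
    nets = [ipaddress.ip_interface(g).network for g in conn.gateways]
    if len(nets) > 1 and any(n == nets[0] for n in nets[1:]):
        findings.append(f"{conn.name}: primary and redundant gateways share subnet "
                        f"{nets[0]} (QA022930)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a connection that trips every check at once.
    sample = Connection(name="corp", remote_party="172.16.0.0/16",
                        gateways=["203.0.113.10/24", "203.0.113.20/24"],
                        physical_ip="172.16.50.7/16", internet_interface="WLAN",
                        virtual_adapter=True, mode_config_ip="172.16.200.5")
    for line in lint(sample):
        print(line)
```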
7. Getting Help
For further assistance with Juniper Networks products, visit http://www.juniper.net/support. Juniper Networks occasionally provides maintenance releases (updates and upgrades) for ScreenOS firmware. To have access to these releases, you must register your NetScreen device with Juniper Networks at the above address.

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and SteelBelted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Copyright 2009, Juniper Networks, Inc. All rights reserved. Printed in USA. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089-1206 U.S.A.
ATTN: General Counsel
www.juniper.net